SAML or other federation technology?

Eight months ago, @kjg asked a question about SAML support. The answer, perplexingly, read:

'It is an often requested feature that we are not going to include in our product line. [Here |https://jira.atlassian.com/browse/CWD-1822] is the feature request page where developers have commented on the issue. You can see that it has been resolved as "Won't Fix."'

Puzzled why you would reject an 'often requested feature', I tried the link to find the page has been deleted. Does this mean you've changed your mind and will be supporting SAML in the future?

I work in the team charged with protecting our identity systems. We've had various proposals for linking cloud apps to our AD infrastructure and rejected them all. Federation is our preferred (in fact, our only) mechanism. We currently use ADFS 2.0. We're prepared to look at other federation technology but no cloud app is getting its claws into our AD and we're not setting up and maintaining another directory with 10s of 000s of users because the costs are prohibitive. If you don't do SAML, what other options are there?

9 answers

1 accepted

I'm also with the group on this one. I've just been charged with finding a SAML solution for JIRA, and also don't want to go with a third party. I'm not sure anything third party would even be approved by our security department, because we're a bank and security is everything here. It would be the best solution if Atlassian handled it since JIRA is their application and it's already approved here at our company.

Thanks for sorting out the link. But it doesn't answer my questions.

To repeat:

  • why aren't you supporting SAML? (Maybe there's something I've missed about its use in such situations?)
  • what do you think enterprises with thousands of users should use, (other than getting a third party to do the SAML integration)?

I'm never a fan of 3rd parties because when something doesn't work, they'll blame you and you'll blame them and we'll be stuck with something that doesn't work. And our users will blame us.

To partially address the first question, we are supporting SAML for Google Apps integration. Anything beyond that we are not currently supporting.

In regards to both questions, we provide for this by having the option to download the product and host it locally (or with another vendor); in this situation you have access to the source code and can also implement any authentication you would like; which is generally the way the product would be used by enterprises with thousands of users.

For the OnDemand product, implementing any additional SAML functionality is not a priority at this moment (you can see from the issue link that it only has 7 votes), and more work needs to be done with integrating the authentication before this could be considered.

Thanks for the reply. It's not my department but I'm under the impression that the Google route is rather expensive.

I guess enterprises did host locally in the past - we certainly did. And before that, we wrote everything ourselves, on the mainframe. But now our business divisions want quick and dirty (at least, that's what they say they want - I suspect the reality will be different but they'll have to face that reality before they know it, I guess). And they've had the world and its dog telling them cloud is the answer. "With cloud there's no maintenance", etc. Four out of the last five projects I've been involved with have started by looking at the cloud.

Actually, I don't see a difference between cloud and local: I'd still want to do AuthN and AuthZ with SAML but I don't expect to have to write my own. My users want single-sign-on. There's no easy way to do that, unless everything is hosted on Windows (and it isn't). And SAML is the best we've got there, too.

Perhaps it only has 7 votes because you can't vote on a resolved issue? If you hadn't pointed it out, I wouldn't have thought to look because I don't use this platform and I'm not familiar with that approach.

You didn't really even partially address the first question because I asked why. If you've decided not to support a standard protocol, you must have had a reason.

I'm with @SSG on his complaints about lack of formal SAML support. I'll likely skip Atlassian products until a realistic federation solution is possible. SSO is more than just sharing users, it's an experience that allows managing of a user's session across multiple applications and thus increases usability.

Maybe sometime this will become a priority? I too do not wish to enjoy the burden of a third party support for this.

0 vote

Hello,

The issue with that URL seems to be the brackets; the ticket still exists at -

https://jira.atlassian.com/browse/CWD-1822

You can see on that page the comment that explains our usage and provides info on plugins for SAML if you use the download version of the products:

SAML support in Crowd is limited to the use case of connecting to Google Apps and we will continue to support this feature.

We do not plan on implementing full SAML support in Crowd or JIRA in the foreseeable future.

If SAML support is critical to your deployment, you could consider engaging one of our partners to build upon the existing SAML functionality. The SAML support in Crowd has been implemented as a plugin and it's possible for you to download the source code if you have a license.

Thanks,

-dave

Could you, or someone else from Atlassian, answer *why* full SAML support is not a priority?

adding another voice to the "why?" group

+1 for SAML support for Atlassian OnDemand. Are you not doing it because you sell a competing product (Crowd)?

See https://jira.atlassian.com/browse/CWD-1822 for Atlassian's stance.

You'll note that that is a Crowd issue - the point here is that there's never going to be any direct SAML (or in fact any other) support for direct logins, it will all go via Crowd. So you wouldn't make bits of OnDemand SAML enabled, you'd keep it simple and just enable it for Crowd.

I don't believe Atlassian are going to enable the SAML plugin for Crowd in OnDemand for the foreseeable future.

Thanks Nic. Personally I don't care how it's achieved, or at what layer, but I've been looking into enterprise SSO solutions recently and they all rely on SAML. If they had OAuth with Google Apps, that would even be preferable to our current scenario where users have different credentials for everything.

Annoying there is no SAML support. We can plug most of our platforms (even Google apps) onto our SAML identity provider and it's frustrating that one vendor stops us from really making strides with our security.

It feels like old fashioned lock-in thinking by Atlassian, but in the modern world, identity is really the property of the enterprise, which is what SAML is all about, not any one vendor. I imagine as the years roll by that Atlassian will eventually be forced to wake up, and will then look around and see that they have lost market share to vendors who do allow enterprises to manage their own identities.

Also looking for a way to connect through ADFS; has anybody had any luck?

We're also in need of cloud integration with ADFS...any updates Atlassian?

Another user here needing ADFS integration for a server we will be hosting ourselves.  Security requires we use ADFS so they have final say over authentication.

The issue CWD-1822 is referenced several times in this thread but none of the links work nor can I find it via searching.  Did the issue get removed because Atlassian is considering adding this feature?  Any comments from Atlassian?
